Traffic Monitoring in a Network Node

ABSTRACT

Methods and apparatus are provided for traffic monitoring in a network. In an example aspect, a method of traffic monitoring in a first network node comprises receiving a packet, determining that the packet matches a plurality of packet detection rules, and sending an indication to a second network node that the packet matches a plurality of packet detection rules.

TECHNICAL FIELD

Examples of the present disclosure relate to traffic monitoring in a network node.

BACKGROUND

In the 3GPP standardization forum, a reference architecture for 5G wireless communications network is defined, for example in section 4.2.3 of 3GPP TS 23.501 V0.5.0 (2017-05), which is incorporated herein by reference. FIG. 1 shows an example of a 5G network architecture 100. The 5G network architecture 100 includes the following entities and interfaces.

Packet Flow Description Function (PFDF) 102: in the 5G architecture 100, this is included within a Network Exposure Function (NEF) 104, for example to reduce the number of network functions in 5G. The PFDF 102 handles Packet Flow Descriptions (PFDs) associated with application identifier(s) and transfers them to the Session Management Function (SMF) 106 via a NG GW interface. The SMF 106 transfers these PFDs towards the User Plane Function (UPF) 108 through a N4 interface and PFD Management Procedure to enable the UPF 108 to perform accurate application detection when the PFDs are managed by a 3rd party service provider.

A Policy and Charging Rules Function (PCF) 112 is a functional element that performs policy control decision and flow-based charging control. The PCF provides network control regarding the service data flow detection.

The Session Management Function (SMF) 106 performs NAS handling for SM, User Equipment (UE) IP address allocation and management, sending Quality of Service (QoS) and policy NG2 information to the AN via an Access and Mobility Management Function (AMF) 114, Idle/Active aware, Policy & Offline/Online Charging i/f termination, Policy enforcement control part, Lawful intercept (CP and interface to LI System), UP selection and termination of NG4 interface.

A User Plane Function (UPF) 108 (e.g. Policy Control Enforcement Function) encompasses service data flow detection, policy enforcement and flow-based charging functionalities. Anchor point for Intra-/Inter-RAT mobility (when applicable), External IP point of interconnect, Packet routing & forwarding, QoS handling for User plane, Packet inspection and PCC rule enforcement, Lawful intercept (UP collection), Roaming interface (UP), Traffic counting and reporting. Deep Packet Inspection (DPI) technology, embedded in the UPF 108, supports packet inspection and service classification, which may classify IP packets according to a configured tree of rules so that they are assigned to a service session. DPI technology offers two types of analysis. Firstly, shallow packet inspection extracts basic protocol information such as IP addresses (source, destination) and other low-level connection states. This information typically resides in the packet header itself and consequently reveals the principal communication intent. Secondly, Deep Packet Inspection (DPI) provides application awareness. This is achieved by analyzing the content in both the packet header and the payload over a series of packet transactions. There are several possible methods of analysis used to identify and classify applications and protocols that are grouped into signatures. One of them is heuristic signatures which is related to the behavioral analysis of the user traffic. A heuristic traffic analyzer makes a best guess classification, but identification accuracy is not guaranteed to be 100%. This limitation is inherent in the heuristic approach. This type of analysis that considers the behavioral analysis of the packets may consume considerable processing resources because more than one packet may be taken into account for the analysis.

In 3GPP TS 29.244, which is incorporated herein by reference, is defined an interface between the user plane and the control plane in a network. Once a session has been established between e.g. UPF 108 and SMF 106 they may exchange some information such as for example Packet Detection Rules (PDRs). According to this standard, on receipt of a user plane packet, the UPF shall perform a lookup of the provisioned PDRs and:

-   identify first the PFCP session to which the packet corresponds; and
-   find the first PDR matching the incoming packet, among all the PDRs provisioned for this PFCP session, starting with the PDRs with the highest precedence and continuing then with PDRs in decreasing order of precedence. Only the highest precedence PDR matching the packet shall be selected, i.e. the UP function shall stop the PDRs lookup once a matching PDR is found.

In other words, at present in a Control and User Plane Separation (CUPS) architecture, the UPF classifies traffic according to the precedence parameter of the PDRs. It defines the relative precedence of a PDR among all the PDRs provisioned within a PFCP session, and matches a packet with the first matching PDR in order of preference of the PDRs.

DPI technology uses heuristic analyzers that detect and identify protocols used by UEs (e.g. applications within those UEs) based on for example binary signature patterns, metrics or connectivity patterns. The difficulty of correctly identifying this type of traffic means that the protocol identification accuracy cannot be guaranteed. The higher the percentage of encrypted packets, the lower the detection rate. Furthermore, the continuing increase in the number of connected applications and protocols in a typical UE device may increase the probability of incorrect protocol detection, because new protocols and applications are added every year. For this reason, content providers (e.g. Over The Top, OTT, providers) have increased collaboration with operators for providing a good method for detecting their applications. For example, a content provider can send to the operator, for example using a T8 interface, the rules (e.g. PDRs) for matching the traffic that corresponds to that content provider.

SUMMARY

One aspect of the present disclosure provides a method of traffic monitoring in a first network node. The method comprises receiving a packet, and determining that the packet matches a plurality of packet detection rules. The method also comprises sending an indication to a second network node that the packet matches a plurality of packet detection rules.

A further aspect of the present disclosure provides a method of traffic monitoring in a second network node. The method comprises sending a plurality of packet detection rules to a first network node, and receiving an indication that a packet received at the first network node matches the plurality of packet detection rules.

Another aspect of the present disclosure provides a method of traffic monitoring. The method comprises receiving an indication that a packet received at a first network node matches a plurality of packet detection rules, and sending a modification for at least one of the packet detection rules to the first network node.

An additional aspect of the present disclosure provides apparatus for traffic monitoring in a first network node. The apparatus comprises a processor and a memory. The memory contains instructions executable by the processor such that the apparatus is operable to receive a packet, determine that the packet matches a plurality of packet detection rules, and send an indication to a second network node that the packet matches a plurality of packet detection rules.

A still further aspect of the present disclosure provides apparatus for traffic monitoring in a second network node. The apparatus comprises a processor and a memory. The memory contains instructions executable by the processor such that the apparatus is operable to send a plurality of packet detection rules to a first network node, and receive an indication that a packet received at the first network node matches the plurality of packet detection rules.

Another aspect of the present disclosure provides apparatus for traffic monitoring. The apparatus comprises a processor and a memory. The memory contains instructions executable by the processor such that the apparatus is operable to receive an indication that a packet received at a first network node matches a plurality of packet detection rules, and send a modification for at least one of the packet detection rules to the first network node.

A further aspect of the present disclosure provides apparatus for traffic monitoring in a first network node. The apparatus is configured to receive a packet, determine that the packet matches a plurality of packet detection rules, and send an indication to a second network node that the packet matches a plurality of packet detection rules.

A still further aspect of the present disclosure provides apparatus for traffic monitoring in a second network node. The apparatus is configured to send a plurality of packet detection rules to a first network node, and receive an indication that a packet received at the first network node matches the plurality of packet detection rules.

An additional aspect of the present disclosure provides apparatus for traffic monitoring. The apparatus is configured to receive an indication that a packet received at a first network node matches a plurality of packet detection rules, and send a modification for at least one of the packet detection rules to the first network node.

BRIEF DESCRIPTION OF THE DRAWINGS

For a better understanding of examples of the present disclosure, and to show more clearly how the examples may be carried into effect, reference will now be made, by way of example only, to the following drawings in which:

FIG. 1 shows an example of a 5G network architecture;

FIG. 2 is a flow chart of an example of a method of traffic monitoring in a first network node;

FIG. 3 is a flow chart of an example of a method of traffic monitoring in a second network node;

FIG. 4 is a flow chart of an example of a method of traffic monitoring;

FIG. 5 is a schematic of an example of apparatus for traffic monitoring in a first network node;

FIG. 6 is a schematic of an example of apparatus for traffic monitoring in a second network node;

FIG. 7 is a schematic of an example of apparatus for traffic monitoring;

FIG. 8 shows an example of communications between network entities; and

FIG. 9 shows another example of communications between network entities.

DETAILED DESCRIPTION

The following sets forth specific details, such as particular embodiments or examples for purposes of explanation and not limitation. It will be appreciated by one skilled in the art that other examples may be employed apart from these specific details. In some instances, detailed descriptions of well-known methods, nodes, interfaces, circuits, and devices are omitted so as not to obscure the description with unnecessary detail. Those skilled in the art will appreciate that the functions described may be implemented in one or more nodes using hardware circuitry (e.g., analog and/or discrete logic gates interconnected to perform a specialized function, ASICs, PLAs, etc.) and/or using software programs and data in conjunction with one or more digital microprocessors or general purpose computers. Nodes that communicate using the air interface also have suitable radio communications circuitry. Moreover, where appropriate the technology can additionally be considered to be embodied entirely within any form of computer-readable memory, such as solid-state memory, magnetic disk, or optical disk containing an appropriate set of computer instructions that would cause a processor to carry out the techniques described herein.

Hardware implementation may include or encompass, without limitation, digital signal processor (DSP) hardware, a reduced instruction set processor, hardware (e.g., digital or analogue) circuitry including but not limited to application specific integrated circuit(s) (ASIC) and/or field programmable gate array(s) (FPGA(s)), and (where appropriate) state machines capable of performing such functions.

According to the standard, e.g. 3GPP TS 29.244, PDRs must comply with the following rules:

-   No more than one PDR with the same match fields in the corresponding Packet Detection Information (PDI), i.e. with the same set of match fields and with the same values, for the same PFCP session.
-   There may be some overlapping rules for the same PFCP session. For example, two PDRs may differ by having one match field set to a specific value in one PDR and the same match field not included in the other PDR.
-   Different PFCP sessions should have at least one PDR which differs by at least one different match field.

With these principles defined by the standards, there may be situations where a packet could potentially match several PDRs. Therefore, the packet is matched to the PDR with the highest preference among the potentially matching PDRs. In these cases, where there is a conflict between PDRs and the packet is matched to the PDR with the higher precedence, it is difficult for an operator to know if this is the correct behaviour, e.g. that the packet has been matched to the correct PDR (e.g. the most preferred PDR, regardless of precedence).

In some examples as described herein, a packet may be matched in a first network node (e.g. UPF) to multiple PDRs, and this may be reported to a second network node (e.g. SMF). The SMF may take appropriate action, such as for example updating the PDRs in the UPF. This may be done in some examples by the SMF consulting a third network node (e.g. PCF).

FIG. 2 is a flow chart of an example of a method 200 of traffic monitoring in a first network node, such as for example a UPF, Packet Gateway (PGW) or Packet Gateway-User Plane (PGW-U). The first network node (and other nodes as described herein) may be a node in a 5G network, though the node may be in another network such as an LTE network or a network with a mixture of standard types. The method comprises, in step 202, receiving a packet (e.g. an IP packet). In some examples, the packet may be received from the internet (e.g. downlink) or from a UE (e.g. uplink). Step 204 of the method 200 comprises determining that the packet matches a plurality of packet detection rules. That is, for example, once it is determined that the packet matches one PDR, the method 100 may continue to determine whether the packet matches any more PDRs. Determining that a packet matches a PDR may comprise for example determining that the packet matches respective Packet Detection Information (PDI) associated with the PDR. If the packet matches a plurality of PDRs, step 206 of the method 200 comprises sending an indication to a second network node (e.g. SMF or a Packet Gateway-Control Plane, PGW-C) that the packet matches a plurality of packet detection rules. Thus for example the first node may report to the second network node that there is a conflict in the PDRs configured in the first network node, as the packet matches multiple PDRs.

In some examples, the indication sent to the second network node may identify the PDRs (e.g. using a PDR ID), or the indication may contain the plurality of packet detection rules, such that for example the second network node (or any other network node) may identify the PDRs that are conflicting.

The method 100 may in some examples comprise, in response to determining that the packet matches the plurality of packet detection rules, sending the packet to the second network node. Thus the second network node (or any other network node) may identify the packet that has resulted in or identified the conflict in the PDRs.

The method 100 may in some examples comprise, after sending the indication to the second network node, receiving (e.g. from the second network node) a modification for one or more of the packet detection rules, and modifying the one or more of the packet detection rules according to the modification to produce modified packet detection rules. Therefore, for example, the PDRs may be modified such that the packet does not match all of the modified packet detection rules (although there may already have been other PDRs configured in the first network node that did not match the packet in step 104). In some cases, the packet may match only one of the modified PDRs. In some examples, the method 100 may also include performing a respective action associated with each of the modified packet detection rules that the packet matches. The respective action may be one or more of a forwarding action rule, FAR, buffering action rule, BAR, quality enforcement rule, QER, usage reporting rule, URR, and/or policy control and charging, PCC, rule. Thus, the action may be undertaken regarding the packet after the PDRs have been modified. In other examples, the action may be taken before the modification—e.g. action associated with the highest precedence matching PDR, or the actions associated with all of the matching PDRs. The modification may comprise, for example, one or more of addition of one or more new PDRs, deletion of one or more existing PDRs, and/or changes to one or more parameters of one or more existing PDRs.

In some examples, sending the indication to the second network node comprises sending an indication that a threshold number of packets or bytes have matched a plurality of packet detection rules.

In some examples, each of the packet detection rules is associated with a respective further indication that indicates whether a packet matching that packet detection rule is permitted to match one or more other packet detection rules. Thus for example some PDRs may be allowed to match to a packet that also matches one or more other PDRs. Therefore, in some examples, sending the indication to the second network node comprises sending an indication that the packet matches at least one packet detection rule associated with a further indication that the packet is not permitted to match any other packet detection rule. In these cases, for example, the indication is not sent to the second network node if all of the multiple matching PDRs are allowed to be multiple matching PDRs, i.e. the packet matches these multiple PDRs. In some examples, the further indication (that the PDR(s) may be allowed to match a packet that also matches other PDR(s)) may be received from the second network node. The packet detection rules may be additionally or alternatively received from the second network node.
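The following added example (not part of the original disclosure) contrasts the first-match lookup from the background with the multi-match conflict detection, per-PDR permission indication and threshold-based reporting described above, and then applies a modification of the kind received via the second network node. The dictionary-based packet and PDI fields, the `exclusive` flag name, the modification format and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class PDR:
    pdr_id: str
    precedence: int          # assumption: lower value = higher precedence (PFCP convention)
    pdi: dict                # match fields; a field absent from the PDI matches anything
    exclusive: bool = False  # the "further indication": True = may not co-match other PDRs

    def matches(self, packet):
        return all(packet.get(k) == v for k, v in self.pdi.items())


class UPF:
    """Toy first network node holding the PDRs of one PFCP session."""

    def __init__(self, pdrs, report_threshold=1):
        self.pdrs = sorted(pdrs, key=lambda r: r.precedence)
        self.report_threshold = report_threshold
        self.conflicts = {}   # tuple of matched PDR IDs -> number of packets seen
        self.reports = []     # indications that would be sent to the second node (SMF)

    def first_match(self, packet):
        """Baseline lookup: stop at the highest-precedence matching PDR."""
        return next((r for r in self.pdrs if r.matches(packet)), None)

    def classify(self, packet):
        """Continue past the first hit; record a conflict only when at least
        one matched PDR is not permitted to co-match with others."""
        matched = [r for r in self.pdrs if r.matches(packet)]
        if len(matched) > 1 and any(r.exclusive for r in matched):
            key = tuple(r.pdr_id for r in matched)
            self.conflicts[key] = self.conflicts.get(key, 0) + 1
            # Report once, when the configured packet threshold is reached.
            if self.conflicts[key] == self.report_threshold:
                self.reports.append({
                    "pdr_ids": list(key),
                    "packets": self.conflicts[key],
                    "sample_packet": dict(packet),
                })
        return [r.pdr_id for r in matched]

    def apply_modification(self, mod):
        """Apply PDR deletions, PDI changes and additions (hypothetical format)."""
        by_id = {r.pdr_id: r for r in self.pdrs}
        for pdr_id in mod.get("delete", []):
            by_id.pop(pdr_id, None)
        for pdr_id, new_pdi in mod.get("change", {}).items():
            if pdr_id in by_id:
                by_id[pdr_id].pdi = dict(new_pdi)
        for r in mod.get("add", []):
            by_id[r.pdr_id] = r
        self.pdrs = sorted(by_id.values(), key=lambda r: r.precedence)
        self.conflicts.clear()   # counters refer to the old configuration


def demo():
    # Constructed rule set: PDR X and PDR Z must not be multi-classified.
    upf = UPF([
        PDR("X", 100, {"dst_ip": "203.0.113.10"}, exclusive=True),
        PDR("Y", 200, {"dst_ip": "203.0.113.10", "dst_port": 443}),
        PDR("W", 300, {"proto": "tcp"}),
        PDR("Z", 400, {"proto": "udp"}, exclusive=True),
    ], report_threshold=2)
    pkt = {"dst_ip": "203.0.113.10", "dst_port": 443, "proto": "tcp"}

    baseline = upf.first_match(pkt).pdr_id           # precedence-only result
    before = [upf.classify(pkt) for _ in range(3)]   # same packet seen three times
    reports_before = list(upf.reports)

    # Modification narrowing PDR X so that it no longer overlaps PDR Y and W.
    upf.apply_modification(
        {"change": {"X": {"dst_ip": "203.0.113.10", "dst_port": 80}}})
    after = upf.classify(pkt)   # Y and W still co-match, but both permit it
    return baseline, before, reports_before, after, len(upf.reports)


if __name__ == "__main__":
    print(demo())
```
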

FIG. 3 is a flow chart of an example of a method 300 of traffic monitoring in a second network node, such as for example a Session Management Function, SMF, or a Packet Gateway-Control Plane, PGW-C. The method 300 comprises, in step 302, sending a plurality of packet detection rules to a first network node, such as for example a User Plane Function, UPF, Packet Gateway, PGW, or Packet Gateway-User Plane, PGW-U. In some examples, the first network node may implement the method 200 described above. Step 304 of the method 300 comprises receiving an indication (e.g. from the first network node) that a packet received at the first network node matches the plurality of packet detection rules. Therefore, for example, the second network node may determine that there is a conflict in the PDRs configured in the first network node.

In some examples, the indication identifies or contains the plurality of packet detection rules. Additionally or alternatively, the method 300 comprises receiving the packet from the first network node. Thus, for example, the second network node (or another network node, if this information is forwarded to another network node) may determine the PDRs that are conflicting.

The method 300 may in some examples comprise sending the indication to a third network node, such as for example a PCF, receiving a modification for one or more of the packet detection rules (e.g. from the third network node), and sending the modification to the first network node. Thus for example the PDRs configured in the first network node may be modified such that the packet matches fewer (e.g. only one) of the modified PDRs.

In some examples, each of the packet detection rules is associated with a respective further indication that indicates whether a packet matching that packet detection rule is permitted to match one or more other packet detection rules. Thus, in some examples, receiving the indication comprises receiving an indication that the packet matches at least one packet detection rule associated with a further indication that the packet is not permitted to match any other packet detection rule. Thus the indication is only received if one or more of the conflicting PDRs are not permitted to be a multiple-matching PDR, that is, a PDR in a group that matches the packet.

In some examples, the second network node may send the packet detection rules to the first network node before receiving the indication.

FIG. 4 is a flow chart of an example of a method 400 of traffic monitoring. In some examples, the method 400 may be implemented in a PCF. The method 400 comprises, in step 402, receiving an indication that a packet received at a first network node matches a plurality of packet detection rules. The indication may be received from a second network node, e.g. a Session Management Function, SMF, or a Packet Gateway-Control Plane, PGW-C. Step 404 of the method 400 comprises sending a modification for at least one of the packet detection rules to the first network node. In some examples, the modification is sent via the second network node. The first network node may in some examples comprise a UPF, PGW or PGW-U. In some examples, the first network node may perform the method 200 described above, and/or the second network node may perform the method 300 described above.

FIG. 5 is a schematic of an example of apparatus 500 for traffic monitoring in a first network node. The apparatus 500 comprises processing circuitry 502 (e.g. one or more processors) and a memory 504 in communication with the processing circuitry 502. The memory 504 contains instructions executable by the processing circuitry 502. The apparatus 500 also comprises an interface 506 in communication with the processing circuitry 502. Although the interface 506, processing circuitry 502 and memory 504 are shown connected in series, these may alternatively be interconnected in any other way, for example via a bus.

In one embodiment, the memory 504 contains instructions executable by the processing circuitry 502 such that the apparatus 500 is operable to receive a packet, determine that the packet matches a plurality of packet detection rules, and send an indication to a second network node that the packet matches a plurality of packet detection rules. In some examples, the memory 504 contains instructions executable by the processing circuitry 502 such that the apparatus 500 is operable to carry out the method 200 described above.

FIG. 6 is a schematic of an example of apparatus 600 for traffic monitoring in a second network node. The apparatus 600 comprises processing circuitry 602 (e.g. one or more processors) and a memory 604 in communication with the processing circuitry 602. The memory 604 contains instructions executable by the processing circuitry 602. The apparatus 600 also comprises an interface 606 in communication with the processing circuitry 602. Although the interface 606, processing circuitry 602 and memory 604 are shown connected in series, these may alternatively be interconnected in any other way, for example via a bus.

In one embodiment, the memory 604 contains instructions executable by the processing circuitry 602 such that the apparatus 600 is operable to send a plurality of packet detection rules to a first network node, and receive an indication that a packet received at the first network node matches the plurality of packet detection rules. In some examples, the memory 604 contains instructions executable by the processing circuitry 602 such that the apparatus 600 is operable to carry out the method 300 described above.

FIG. 7 is a schematic of an example of apparatus 700 for traffic monitoring (e.g. in a third network node such as a PCF). The apparatus 700 comprises processing circuitry 702 (e.g. one or more processors) and a memory 704 in communication with the processing circuitry 702. The memory 704 contains instructions executable by the processing circuitry 702. The apparatus 700 also comprises an interface 706 in communication with the processing circuitry 702. Although the interface 706, processing circuitry 702 and memory 704 are shown connected in series, these may alternatively be interconnected in any other way, for example via a bus.

In one embodiment, the memory 704 contains instructions executable by the processing circuitry 702 such that the apparatus 700 is operable to receive an indication that a packet received at a first network node matches a plurality of packet detection rules, and send a modification for at least one of the packet detection rules to the first network node.

Additional specific example embodiments will now be described.

Embodiments of this disclosure may be based on a scenario composed of a UE properly connected to a mobile network, in which there will be a node (a UPF) with deep packet inspection and service classification functionality, and an SMF sending PDR rules to the UPF.

-   UPF: User plane function with deep packet inspection and service classification requires updated rules from PFDF to classify the traffic from UE properly and apply, for instance, desired QoS or charging.
-   SMF: Session Management Function. Responsible for selecting the corresponding UPF for a PDU session and responsible for controlling UPF capabilities such as for example traffic detection, traffic reporting, QoS enforcements and/or traffic routing.
-   UE: User equipment.
-   PCF: Policy and Charging Rules Function. This is a functional element that performs policy control decision making and flow-based charging control. The PCF provides network control regarding the service data flow detection.

FIG. 8 shows an example of communications 800 between network entities, for example in embodiments where PCF does not support multi-classification in real time (i.e. the PCF does not support cases where a packet matches multiple PDRs), for example when establishing and/or performing traffic monitoring. The communications include the following (which may also be the steps of a method).

-   Step 802: End user (e.g. UE) establishes a PDU Session.
-   Step 804: SMF creates a PFCP session towards UPF. It sends the PDRs for the end user with information about how to classify the traffic.
-   Step 806: UPF indicates to SMF that it can provide multi-classification.
-   Step 808: SMF indicates to PCF that the UPF can provide multi-classification information.
-   Step 810: PCF indicates that it is not able to process the multi-classification information in real time. So, it cannot provide modifications. It can optionally indicate which PDRs they want to track for not having multi-classification (that is, for example, which PDR(s) are to be associated with an indication that they cannot be matched with a packet that also matches other PDRs).
-   Step 812: SMF indicates to UPF which PDRs cannot have multi-classification. In this example, PDR X and PDR Z.
-   Step 814: UPF acknowledges the previous message. Then UPF checks all traffic.
-   Step 816: End user generates traffic.
-   Step 818: UPF reports the usage of each PDR. For those rules that are multi-classified in the PDRs defined in step 812, it may for example report after reaching a certain threshold those PDRs with multi-match.
-   Step 820: SMF answers with a reply. SMF sends this information to PCF.
-   Step 822: PCF answers to SMF.
-   Step 824: End user disconnects from the session.
-   Step 826: SMF sends a delete request of the PFCP session.
-   Step 828: UPF sends the PDRs with the multi-classification in the same format as in step 818.
-   Step 830: SMF sends the information to PCF.

FIG. 9 shows another example of communications 900 between network entities, in a scenario where the PCF can modify the PDRs configured in the UPF (for example in real time), for example when establishing and/or performing traffic monitoring. The communications include the following (which may also be the steps of a method).

-   Step 902: End user establishes a PDU Session.
-   Step 904: SMF creates a PFCP session towards UPF. It sends the PDRs for the end user with the information about how to classify the traffic.
-   Step 906: UPF indicates to SMF that it can provide multi-classification.
-   Step 908: SMF indicates to PCF that the UPF can provide multi-classification information.
-   Step 910: PCF indicates that it can process the multi-classification information in real time. So, it can provide modifications. It can optionally send which PDRs they want to track for not having multi-classification.
-   Step 912: SMF indicates to UPF which PDRs cannot have multi-classification. In this example, PDR X and PDR Z.
-   Step 914: UPF acknowledges the previous message. Then UPF checks all traffic.
-   Step 916: End user generates traffic.
-   Step 918: UPF reports the usage of each PDR. For those rules that are multi-classified in the PDRs defined in step 912, it may for example report after reaching a certain threshold those PDRs with multi-match.
-   Step 920: SMF answers with a reply. SMF sends this information to PCF.
-   Step 922: PCF answers to SMF. PCF processes the information about the PDR multi-classification. The PCF (e.g. according to the rating group of the PDR with multi-classification) can decide whether it should provide new rules (i.e. modifications to existing PDRs) to the SMF. PCF sends to SMF a modification of PDRs that indicates how PDR should be updated.
-   Step 924: SMF modifies the PDRs of the PFCP session according to the information received in the PCC rules of the PCF (i.e. according to the modification).
-   Step 926: UPF acknowledges the message and starts classifying according to the modification.

It should be noted that the above-mentioned examples illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative examples without departing from the scope of the appended statements. The word “comprising” does not exclude the presence of elements or steps other than those listed in a claim, “a” or “an” does not exclude a plurality, and a single processor or other unit may fulfil the functions of several units recited in the statements below. Where the terms, “first”, “second” etc. are used they are to be understood merely as labels for the convenient identification of a particular feature. In particular, they are not to be interpreted as describing the first or the second feature of a plurality of such features (i.e. the first or second of such features to occur in time or space) unless explicitly stated otherwise. Steps in the methods disclosed herein may be carried out in any order unless expressly otherwise stated. Any reference signs in the statements shall not be construed so as to limit their scope.

1-51. (canceled)
 52. A method of traffic monitoring in a first networknode, the method comprising: receiving a packet; detecting a PDRconflict, wherein the packet matches more than one packet data rule(PDR) among multiple PDRs comprising a PDR configuration at the firstnetwork node; sending an indication of the PDR conflict to a secondnetwork node; and after sending the indication of the PDR conflict:receiving a modification for the PDR configuration, the modificationcomprising one or more of a PDR addition, a PDR deletion, or a PDRchange; and modifying the PDR configuration according to themodification, to obtain a modified PDR configuration.
53. The method of claim 52, further comprising at least one of: including the matched PDRs or an indication thereof in the indication sent to the second network node; or sending the packet to the second network node.
54. The method of claim 52, wherein the modification is received from the second network node.
55. The method of claim 52, further comprising, with respect to the modified PDR configuration: determining that no PDR conflicts exist, based on the packet matching only a single PDR in the modified PDR configuration, and, in response, applying a respective action associated with that single matched PDR; or determining that PDR conflicts still exist, based on the packet matching more than one PDR in the modified PDR configuration, and further determining that none of the multiple matched PDRs disallow PDR conflicts and, in response, applying respective actions associated with the multiple matched PDRs.
56. The method of claim 55, wherein each respective action applied is one or more of a forwarding action rule (FAR), a buffering action rule (BAR), a quality enforcement rule (QER), a usage reporting rule (URR), or a policy control and charging (PCC) rule.
57. The method of claim 52, further comprising determining that none of the matched PDRs disallow PDR conflicts and, in response, performing a respective action associated with each of the matched PDRs.
58. The method of claim 57, wherein each respective action is one or more of a forwarding action rule (FAR), a buffering action rule (BAR), a quality enforcement rule (QER), a usage reporting rule (URR), or a policy control and charging (PCC) rule.
59. The method of claim 52, wherein sending the indication of the PDR conflict to the second network node is conditioned on determining that a threshold number of PDR conflicts has occurred at the first network node, and wherein the indication sent to the second network node indicates that the threshold number of PDR conflicts has been reached.
60. The method of claim 52, wherein the second network node comprises a Session Management Function (SMF) or a Packet Gateway-Control Plane (PGW-C) in a wireless communications network, and wherein the first network node comprises a User Plane Function (UPF), a Packet Gateway (PGW), or a Packet Gateway-User Plane (PGW-U).
61. A method of traffic monitoring in a second network node, the method comprising: sending multiple packet detection rules (PDRs) to a first network node, the multiple PDRs comprising a PDR configuration for the first network node; receiving an indication of a PDR conflict at the first network node, wherein a packet received at the first network node matched more than one PDR among the multiple PDRs; and responsive to receiving the indication of the PDR conflict: sending the indication to a third network node; receiving, from the third network node, a modification for the PDR configuration, the modification being one or more of a PDR addition, a PDR deletion, or a PDR change; and sending the modification to the first network node, to trigger the first network node to modify the PDR configuration to obtain a modified PDR configuration in which, compared to the PDR configuration before modification, at least one PDR is added, deleted, or changed.
62. The method of claim 60, wherein the third network node comprises a Packet Control Function (PCF) in a wireless communications network, wherein the second network node comprises a Session Management Function (SMF) or a Packet Gateway-Control Plane (PGW-C) in the wireless communications network, and wherein the first network node comprises a User Plane Function (UPF), a Packet Gateway (PGW), or a Packet Gateway-User Plane (PGW-U) in the wireless communications network.
63. A method of traffic monitoring, the method comprising: receiving an indication of a packet data rule (PDR) conflict at a first network node, wherein a packet received at the first network node matched more than one PDR among multiple PDRs comprised in a PDR configuration at the first network node; determining, in response to the indication of the PDR conflict, a modification for the PDR configuration, the modification comprising one or more of a PDR addition, a PDR deletion, or a PDR change; and sending the modification to the first network node or to a second network node that is operative to send the modification to the first network node, to trigger the first network node to obtain a modified PDR configuration according to the modification.
64. The method of claim 63, wherein the modification resolves the PDR conflict.
65. The method of claim 63, wherein the second network node comprises a Session Management Function (SMF), or a Packet Gateway-Control Plane (PGW-C) in a wireless communications network, and wherein the first network node comprises a User Plane Function (UPF), Packet Gateway (PGW), or Packet Gateway-User Plane (PGW-U).
66. The method of claim 65, wherein the method is performed by a Packet Control Function (PCF) of the wireless communications network.
67. An apparatus for traffic monitoring in a first network node, the apparatus comprising a processor and a memory, the memory containing instructions executable by the processor such that the apparatus is configured to: detect a PDR conflict with respect to a packet received by the first network node, wherein the PDR conflict is detected as the packet matching more than one packet data rule (PDR) among multiple PDRs comprising a PDR configuration at the first network node; send an indication of the PDR conflict to a second network node; and after the indication of the PDR conflict is sent: receive a modification for the PDR configuration, the modification comprising one or more of a PDR addition, a PDR deletion, or a PDR change; and modify the PDR configuration according to the modification, to obtain a modified PDR configuration.
68. The apparatus of claim 67, wherein the apparatus is further configured to perform at least one of: include the matched PDRs or an indication thereof in the indication sent to the second network node; or send the packet to the second network node.
69. The apparatus of claim 67, wherein, with respect to the modified PDR configuration, the apparatus is further configured to: determine that no PDR conflicts exist, based on the packet matching only a single PDR in the modified PDR configuration, and, in response, applying a respective action associated with that single matched PDR; or determine that PDR conflicts still exist, based on the packet matching more than one PDR in the modified PDR configuration, further determine that none of the multiple matched PDRs disallow PDR conflicts, and, in response, apply respective actions associated with the multiple matched PDRs.
70. The apparatus of claim 67, wherein, in response to the apparatus determining that none of the matched PDRs disallow PDR conflicts, the apparatus is configured to perform a respective action associated with each of the matched PDRs.
71. The method of claim 52, wherein the second network node comprises a Session Management Function (SMF) or a Packet Gateway-Control Plane (PGW-C) in a wireless communications network, and wherein the first network node comprises a User Plane Function (UPF), a Packet Gateway (PGW), or a Packet Gateway-User Plane (PGW-U).